Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Hyperscale and standard FortiOS CGNAT feature comparison

Hyperscale and standard FortiOS CGNAT feature comparison

In many cases, standard FortiOS can provide many carrier grade NAT (CGNAT) features and, depending on the hardware platform, excellent CGNAT performance. Hyperscale FortiOS supports CGNAT with much higher connections per second performance, hardware session logging, and more CGNAT features but does not support these features for UTM traffic.You can license a FortiGate for Hyperscale, use hyperscale firewall VDOMs for non-UTM traffic and normal VDOMs for UTM traffic.

Hyperscale FortiOS also supports a few more CGNAT features than standard FortiOS. The following table breaks down the CGNAT features supported by hyperscale FortiOS and standard FortiOS:

CGNAT Feature Hyperscale FortiOS Standard FortiOS
PBA with no overloading

Yes

Port block allocation CGN IP pool.

No.

FortiOS PBA re-uses addresses.

PBA with overloading

  • Dynamic IP consistency

  • Port block allocation

  • Port reuse within block

  • Deterministic NAT

Yes

Overload with port-block-allocation CGN IP pool.

Yes

Port block allocation

PBA with NAT64

Yes

Overload with port-block-allocation CGN IP pool.

No

Single port allocation (SPA)
  • Dynamic IP consistency

  • No port reuse

  • Deterministic NAT

Yes

Single port allocation CGN IP pool.

No
Single port allocation (SPA) with overload
  • Dynamic IP consistency

  • Port reuse within the entire port range

  • Deterministic NAT

Yes

Overload with single port allocation CGN IP pool.

No
PBA. fixed allocation
  • Static IP consistency

  • Static port block allocation

  • No port reuse

  • Deterministic NAT

Yes

Fixed allocation CGN IP pool.

Yes

Fixed port range

Excluding multiple IPs

The exclude-ip option is available for all IP pool configurations.

Yes

See the description of the exclude-ip option in Port block allocation CGN IP pool.

Yes

IP pool groups

  • Streamlines hyperscale firewall policy configuration.

Yes

CGN resource allocation IP pool groups.

No

Port starting number

5117

5117

Bi-directional session TTL refresh timers

Yes

You can control whether idle outgoing or incoming or both outgoing and incoming sessions are terminated when the TTL is reached. See Hyperscale firewall VDOM session timeouts.

No

Endpoint Independent Mapping (EIM)

Yes

You can enable or disable EIM in a hyperscale firewall policy CGN resource allocation hyperscale firewall policies.

Yes

EIM + overloading (Reuse) is always enabled

Endpoint Independent Filtering (EIF)

Yes

You can enable or disable EIF in a hyperscale firewall policy CGN resource allocation hyperscale firewall policies.

Partially

  • PBA IP pools support EIF by enabling permit-any-host

  • Fixed port range IP pools do not support EIF.

Hyperscale and standard FortiOS CGNAT feature comparison

Hyperscale and standard FortiOS CGNAT feature comparison

In many cases, standard FortiOS can provide many carrier grade NAT (CGNAT) features and, depending on the hardware platform, excellent CGNAT performance. Hyperscale FortiOS supports CGNAT with much higher connections per second performance, hardware session logging, and more CGNAT features but does not support these features for UTM traffic.You can license a FortiGate for Hyperscale, use hyperscale firewall VDOMs for non-UTM traffic and normal VDOMs for UTM traffic.

Hyperscale FortiOS also supports a few more CGNAT features than standard FortiOS. The following table breaks down the CGNAT features supported by hyperscale FortiOS and standard FortiOS:

CGNAT Feature Hyperscale FortiOS Standard FortiOS
PBA with no overloading

Yes

Port block allocation CGN IP pool.

No.

FortiOS PBA re-uses addresses.

PBA with overloading

  • Dynamic IP consistency

  • Port block allocation

  • Port reuse within block

  • Deterministic NAT

Yes

Overload with port-block-allocation CGN IP pool.

Yes

Port block allocation

PBA with NAT64

Yes

Overload with port-block-allocation CGN IP pool.

No

Single port allocation (SPA)
  • Dynamic IP consistency

  • No port reuse

  • Deterministic NAT

Yes

Single port allocation CGN IP pool.

No
Single port allocation (SPA) with overload
  • Dynamic IP consistency

  • Port reuse within the entire port range

  • Deterministic NAT

Yes

Overload with single port allocation CGN IP pool.

No
PBA. fixed allocation
  • Static IP consistency

  • Static port block allocation

  • No port reuse

  • Deterministic NAT

Yes

Fixed allocation CGN IP pool.

Yes

Fixed port range

Excluding multiple IPs

The exclude-ip option is available for all IP pool configurations.

Yes

See the description of the exclude-ip option in Port block allocation CGN IP pool.

Yes

IP pool groups

  • Streamlines hyperscale firewall policy configuration.

Yes

CGN resource allocation IP pool groups.

No

Port starting number

5117

5117

Bi-directional session TTL refresh timers

Yes

You can control whether idle outgoing or incoming or both outgoing and incoming sessions are terminated when the TTL is reached. See Hyperscale firewall VDOM session timeouts.

No

Endpoint Independent Mapping (EIM)

Yes

You can enable or disable EIM in a hyperscale firewall policy CGN resource allocation hyperscale firewall policies.

Yes

EIM + overloading (Reuse) is always enabled

Endpoint Independent Filtering (EIF)

Yes

You can enable or disable EIF in a hyperscale firewall policy CGN resource allocation hyperscale firewall policies.

Partially

  • PBA IP pools support EIF by enabling permit-any-host

  • Fixed port range IP pools do not support EIF.